Under the DFARS or the FAR, the government can release software as open source software once it receives unlimited rights to that software. Continuous and broad peer-review, enabled by publicly available source code, improves software reliability and security through the identification and elimination of defects that might otherwise go unrecognized by the core development team. "acquire commercial services, commercial products, or nondevelopmental items other than commercial products to meet the needs of the agency; require prime contractors and subcontractors at all levels under the agency contracts to incorporate commercial services, commercial products, or nondevelopmental items other than commercial products as components of items supplied to the agency; modify requirements in appropriate cases to ensure that the requirements can be met by commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to agency solicitations; state specifications in terms that enable and encourage bidders and offerors to supply commercial services or commercial products or, to the extent that commercial products suitable to meet the agency's needs are not available, nondevelopmental items other than commercial products in response to the agency solicitations; revise the agency's procurement policies, practices, and procedures not required by law to reduce any impediments in those policies, practices, and procedures to the acquisition of commercial products and commercial services; and, require training of appropriate personnel in the acquisition of commercial products and commercial services." OpenSSL - SSL/cryptographic library implementation; GNAT - Ada compiler suite (technically this is part of gcc); perl, Python, PHP, Ruby - scripting languages; Samba - Windows - Unix/Linux interoperability.
Enforcing the GNU GPL by Eben Moglen is a brief essay that argues why the GNU General Public License (GPL), specifically, is enforceable. Q: Is there a large risk that widely-used OSS unlawfully includes proprietary software (in violation of copyright)? As an aid, the Open Source Initiative (OSI) maintains a list of Licenses that are popular and widely used or with strong communities. Q: How can I avoid failure to comply with an OSS license? Such software does not normally undergo widespread public review; indeed, the source code is typically not provided to the public, and there are often license clauses that attempt to inhibit review further (e.g., forbidding reverse engineering and/or forbidding the public disclosure of analysis results). Other laws must still be obeyed. With practically no exceptions, successful open standards for software have OSS implementations. Control enhancement CM-7(8) states that an organization must prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code. Users can send bug reports to the distributor or trusted repository, just as they could for a proprietary program. This can create an avalanche-like virtuous cycle. And of course, individual OSS projects often have security review processes or methods (such as Mozilla's bounty system). The Apache 2.0 license is compatible with the GPL version 3 license, but not the GPL version 2 license.
(See also GPL FAQ, Question Can the US Government release a program under the GNU GPL?). OSS can often be purchased (directly, or as a support contract), and such purchases often include some sort of indemnification. For advice about a specific situation, however, consult with legal counsel. Do not mistakenly use the term non-commercial software as a synonym for open source software. Thus, Open Source Intelligence (OSINT) is a form of intelligence collection management that involves finding, selecting, and acquiring information from publicly available sources and analyzing it to produce actionable intelligence. OSS COTS tends to be lower cost than GOTS, in part for the same reasons as proprietary COTS: its costs are shared among more users. Using industry OSS project hosting services makes it easier to collaborate with other parties outside the U.S. DoD or U.S. government. Q: Is OSS commercial software? A choice of venue clause is a clause that states where a dispute is to be resolved (e.g., which court). 2518(4)(B) says that, An article is a product of a country or instrumentality only if (i) it is wholly the growth, product, or manufacture of that country or instrumentality, or (ii) in the case of an article which consists in whole or in part of materials from another country or instrumentality, it has been substantially transformed into a new and different article of commerce with a name, character, or use distinct from that of the article or articles from which it was so transformed. The CBP also pointed out a ruling (Data General v. United States, 4 CIT 182 (1982)), that programming a PROM performed a substantial transformation.
What it does mean, however, is that the DoD will not reject consideration of a COTS product merely because it is OSS. Make sure it's really OSS. Q: Is there any quantitative evidence that open source software can be as good as (or better than) proprietary software? Do you have permission to release to the public (classification, distribution statements, export controls)? However, if the GPL software must be mixed with other proprietary/classified software, the GPL terms must still be followed. A very small percentage of such users determine that they can make a change valuable to them, and contribute it back (to avoid maintenance costs). Q: Do choice of venue clauses automatically disqualify OSS licences? One way to deal with potential export control issues is to make this request in the same way as approving public release of other data/documentation. 1342, Limitation on voluntary services. As of 2021, the terms freeware and shareware do not appear to have official definitions used by the United States Government, but historically (for example in the now-superseded DoD Instruction 8500.2) these terms have been used specifically for software distributed without cost where the Government does not have access to the original source code. Thankfully, there are ways to reduce the risk of executing malicious code when using commercial software (both proprietary and OSS). However, the required FAR Clause 52.212-4(d) establishes that This contract is subject to the Contract Disputes Act of 1978, as amended (41 U.S.C.
Also, since there are a limited number of users, there is limited opportunity to gain from user innovation - which again can lead to obsolescence. The Creative Commons is a non-profit organization that provides free tools, including a set of licenses, to let authors, scientists, artists, and educators easily mark their creative work with the freedoms they want it to carry. Q: What are Open Government Off-the-Shelf (OGOTS) or Government OSS (GOSS)? Q: Where can I release open source software that is a new project to the public? The red book explains its purpose: since an agency cannot directly obligate in excess or advance of its appropriations, it should not be able to accomplish the same thing indirectly by accepting ostensibly voluntary services and then presenting Congress with the bill, in the hope that Congress will recognize a moral obligation to pay for the benefits conferred. Once an invention is released to the public, the inventor has only one year to file for a patent, so any new ideas in some software must have a patent filed within one year by that inventor, or (in theory) they cannot be patented. Similarly, U.S. Code Title 41, Section 104 defines the term Commercially available off-the-shelf (COTS) item; software is COTS if it is (a) a commercial product, (b) sold in substantial quantities in the commercial marketplace, and (c) is offered to the Federal Government, without modification, in the same form in which it is sold in the commercial marketplace. Parties are innocent until proven guilty, so if there.
There are valid business reasons, unrelated to security, that may lead a commercial company selling proprietary software to choose to hide source code (e.g., to reduce the risk of copyright infringement or the revelation of trade secrets). Although the government cannot directly sue for copyright violation, in such cases it can still sue for breach of license and, presumably, get injunctive relief to stop the breach and money damages to recover royalties obtained by breaching the license (and perhaps other damages as well). (See also Publicly Releasing Open Source Software Developed for the U.S. Government by Dr. David A. Wheeler, DoD Software Tech News, February 2011.) This does not mean that existing OSS elements should always be chosen, but it means that they must be considered. Government lawyers and Contracting Officers are trained to try to negotiate licenses which resolve these ambiguities without having to rely on the less-satisfying Order of Precedence, but generally accede when licenses in question are non-negotiable, such as with OSS licenses in many cases. Use a widely-used existing license. More recent decisions, such as the 1982 decision B-204326 by the U.S. Comptroller General, continue to confirm this distinction between gratuitous and voluntary service. Depending on your goals, a trademark, service mark, or certification mark may be exactly what you need. In some cases, the government obtains the copyright; in those cases, the government can sue for copyright violation. Software not subject to copyright is often called public domain software. A trademark is a word, phrase, symbol or design, or a combination thereof, that identifies and distinguishes the source of the goods of one party from those of others.
If the government has received copyright (e.g., because the FAR 52.227-17 or DFARS 252.227-7020 clauses apply) then the government can release the software as open source software. Q: When a DoD contractor is developing a new system/software as a deliverable in a typical DoD contract, is it possible to use existing software licensed using the GNU General Public License (GPL)? When taking this approach, contractors hired to modify the software must not retain copyright or other rights to the result (else the software would be conveyed outside the U.S. government); see GPL version 3 section 2, paragraph 2, which states this explicitly. OSS implementations can help create and keep open standards open. There are two versions of the GPL in widespread use: version 2 and version 3. Be sure to consider such costs over a period of time (typically the lifetime of the system including its upgrades), and use the same period when evaluating alternatives; otherwise, one-time costs (such as costs to transition from an existing proprietary system) can lead to erroneous conclusions. A protective license protects the software from becoming proprietary, and instead enforces a share and share alike approach between parties. If the OSS is intended for use on Linux/Unix systems, follow standard source installation release practices so that it is easier for users to install. The terms that apply to usage and redistribution tend to be trivially easy to meet (e.g., you must not remove the license or author credits when re-distributing the software). When the program was released as OSS, within 5 months this vulnerability was found and fixed. This greatly reduces contractors' risks, enabling them to get work done (given this complex environment).
Note also that merely being developed for the government is no guarantee that there is no malicious embedded code. However, you should examine past experience and your intended uses before depending on this as a primary mechanism for support. There are far too many examples to list; a few examples are: The key risk is the revelation of information that should not be released to the public. Q: Isn't OSS developed primarily by inexperienced students? Yes, both the government and contractors may obtain and use trademarks, service marks, and/or certification marks for software, including OSS. These cases were eventually settled by the parties, but not before certain claims regarding the GPLv2 were decided. If this is the case, then the contractor cannot release the software as OSS without permission, because the contractor doesn't own the copyright. If that competitor's use of OSS results in an advantage to the DoD (such as lower cost, faster schedule, increased performance, or other factors such as increased flexibility), contractors should expect that the DoD will choose the better bid.
If it is an improvement to an existing project, release it to the main OSS project, in whatever format they prefer for changes. Windows Services for UNIX 3.0 is a good example of commercial use of GPL application mixing. (See also Free Software Foundation License List, Public Domain), (See also GPL FAQ, Question Can the US Government release improvements to a GPL-covered program?). A Boston Consulting Group study found that the average age of OSS developers was 30 years old, the majority had training in information technology and/or computer science, and on average had 11.8 years of computer programming experience. An example is (connecting) a GPL utility to a proprietary software component by using the Unix pipe mechanism, which allows one-way flow of data to move between software components. Examine if it is truly community-developed - or if there are only a very few developers. Thus, if there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. An Open System is a system that employs modular design, uses widely supported and consensus based standards for its key interfaces, and has been subjected to successful V&V tests to ensure the openness of its key interfaces (per the DoD Open Systems Joint Task Force).
Releasing software as OSS does not mean that organizations will automatically arise to help develop/support it. If you know of an existing proprietary product that meets your needs, searching for its name plus "open source" may help. There are substantial benefits, including economic benefits, to the creation and distribution of copyrighted works under public licenses that range far beyond traditional license royalties. The choice to exact consideration in the form of compliance with the open source requirements of disclosure and explanation of changes, rather than as a dollar-denominated fee, is entitled to no less legal recognition. Various organizations have been formed to reduce patent risks for OSS. Many programs and DAAs do choose to use commercial support, and in many cases that is the best approach. In Wallace vs. FSF, Judge Daniel Tinder stated that the GPL encourages, rather than discourages, free competition and the distribution of computer operating systems and found no anti-trust issues with the GPL. There is a fee for registering a trademark. Software developed by US federal government employees (including military personnel) as part of their official duties is not subject to copyright protection in the US (see 17 USC 105). For example, software that is released to the public as OSS is not considered commercial if it is a type of software that is only used for governmental purposes. There are other ways to reduce the risk of software patent infringement (in the U.S.) as well: Yes, both entirely new programs and improvements of existing OSS have been developed using U.S. government funds.
The release of the software may be restricted by the International Traffic in Arms Regulation (ITAR) or Export Administration Regulation (EAR). This process provides a single, consolidated list of products that have met cybersecurity and interoperation certification requirements. If there is an existing contract, you must check the contract to determine the specific situation; the text above merely describes common cases. On approval, such containers are granted a Certificate to Field designation by the Air Force Chief Software Officer. Thus, the government may receive custom-developed, non-commercial software as a deliverable and receive unlimited rights for that new code, but also acquire only commercial rights to the third-party (possibly OSS) components. The GPL and government unlimited rights terms have similar goals, but differ in details. OSS implementations can help rapidly increase adoption/use of the open standard. So, while open systems/open standards are different from open source software, they are complementary and can work well together. Be sure to consider total cost of ownership (TCO), not just initial download costs. Other documents that you may find useful include: Frequently Asked Questions regarding Open Source Software (OSS) and the Department of Defense (DoD). Q: Does the DoD use OSS for security functions?
If a government employee enhances or modifies a (copyrighted) open source software program, the resulting work is a joint work (see 17 USC 101) which is partially copyrighted and partially public domain. The resulting joint work as a whole is protected by the copyrights of the non-government authors and may be released according to the terms of the original open-source license. Requiring the use of very unusual development tools may impede development, unless those tools provide a noticeable advantage. What is its relationship to OSS? Not under typical open source software licenses based on copyright, but there is an alternative with the same practical effect. Using a made-up word that has no Google hits is often a good start, but again, see the PTO site for more information. Gartner Group's Mark Driver stated in November 2010 that, Open source is ubiquitous, it's unavoidable; having a policy against open source is impractical and places you at a competitive disadvantage. Execution: Mixing GPL and other software can run at the same time on the same computer or network. Note that when government employees develop software as part of their official duties, it can be protected by copyright in other countries, but note that these can only be enforced outside the US. These include: If you are looking for smaller pieces of code to reuse, search engines specifically for code may be helpful. In addition, since the source code is publicly released, anyone can review it, including for the possibility of malicious code.
This also pressures proprietary implementations to limit their prices, and such lower prices for proprietary software also encourage use of the standard. The United States Air Force operates a service called Iron Bank, which is the DoD Enterprise repository of hardened software containers, many of which are based on open source products. These formats may, but need not, be the same. Q: When can the U.S. federal government or its contractors publicly release, as OSS, software developed with government funds? This is particularly the case where future modifications by the U.S. government may be necessary, since OSS by definition permits modification. The DoD already uses a wide variety of software licensed under the GPL. Software that meets very high reliability/security requirements, aka high assurance software, must be specially designed to meet such requirements. It states that in 1913, the Attorney General developed an opinion (30 Op. Can the DoD use GPL-licensed software? These included the Linux kernel, the gcc compilation suite (including the GNAT Ada compiler), the OpenOffice.org office suite, the emacs text editor, the Nmap network scanner, OpenSSL and OpenSSH for encryption, and Samba for Unix/Linux/Windows interoperability. But in practice, publicly-released OSS nearly always meets the various government definitions for commercial computer software and thus is nearly always considered commercial software. Whether or not this was intentional, it certainly had the same form as a malicious back door.
OSS licenses and projects clearly approve of commercial support. can be competed, and the cost of some improvements may be borne by other users of the software. Establish vetting process(es) before the government will use updated versions (testing, etc.). Q: Are non-commercial software, freeware, or shareware the same thing as open source software? (Such terms might include open source software, but could also include other software.) Factors that greatly reduce this risk include: Typically not, though the risk varies depending on their contract and specific circumstance. It depends on the goals for the project; however, here are some guidelines: Public domain where required by law.